Export Microsoft 365 Users’ Self-Service Password Reset (SSPR) Status Reports

Microsoft self-service password reset (SSPR) feature enables users to reset passwords independently, reducing help desk reliance in the organization. However, before users can utilize SSPR, admins must enable self-service password reset, and users must register their authentication methods. Once deployed, organizations often seek insight into the usage of self-service password reset. They inquire about the number of registered users, their identities, default password reset methods, and more. Therefore, consistent monitoring of self-service password reset status is vital for administrators.

To assist, this blog introduces a dedicated PowerShell script designed specifically for exporting self-service password reset status reports.

There are two methods available for exporting self-service password reset (SSPR) status reports:

Microsoft Entra admin center: Within the Usage & insights section under the Password Reset page, Microsoft 365 administrators can access the SSPR reports in the Microsoft Entra admin center. However, this report offers basic information about SSPR registered users. It doesn’t provide details on ineligible SSPR users, those eligible yet unregistered, and more. Furthermore, it doesn’t allow admins to customize reports for unregistered SSPR users, verify their license status, and many more.

PowerShell: The “Get-MgReportAuthenticationMethodUserRegistrationDetail” cmdlet provides details on SSPR status. However, getting the needed outcomes might require using the cmdlet with various filters and loops, which can take a lot of time.

To address these concerns and offer a straightforward solution, we’ve created a PowerShell script for exporting Microsoft 365 users’ SSPR status reports.

Download Script: GetSSPRstatusReport.ps1

1. The script exports 10 SSPR status reports.
2. Exports SSPR status for Microsoft 365 users.
3. Generates report on SSPR enabled users.
4. Finds SSPR disabled users.
5. Identifies users who are eligible but not registered for SSPR.
6. Finds SSPR status for Microsoft 365 admins.
7. Determines the SSPR status specifically for licensed users.
8. The script can be executed with MFA-enabled accounts.
9. It exports results to a CSV file for convenient data handling.
10. The script installs the required Microsoft Graph Beta module upon user confirmation if not already installed.
11. Supports certificate-based authentication (scheduler-friendly) method.

The exported self-service password reset status report includes the following attributes:

1. Username
2. Is SSPR Registered by User
3. Is SSPR Enabled by Admins
4. Department
5. Registered Authentication Methods
6. Default Authentication Meth
7. Job Title
8. License Status
9. Sign-in Enabled Status
10. Is Admin

The exported SSPR status report looks like the screenshot below.

After examining the attributes, are you unsure about the difference between SSPR enabled and SSPR registered? Let’s clear it up!

SSPR Enabled by Admins: Admins can enable SSPR for users to reset their own passwords. SSPR can be enabled for all, or selected users as needed in the Microsoft Entra admin center. If SSPR isn’t enabled by the admin, users can’t register for SSPR. If SSPR is enabled for a user by the admin, the value will be displayed as “True”; otherwise, it will be shown as “False”.

SSPR Registered by Users: Users need to register their authentication methods as per the organization’s SSPR policy to use the SSPR feature. This attribute indicates whether the user has completed the registration process for self-service password reset or not.

Download the PowerShell script and open Windows PowerShell to execute it. You can run the downloaded SSPR status report script in two ways:

Method 1: Run the script with both MFA and non-MFA accounts.

The report exports the self-service password reset status of all the sign-in-enabled users.

Method 2: Execute the script using certificate-based authentication (scheduler-friendly) for an unattended approach.

You can use either a certificate authority or a self-signed certificate based on your preference. Many admins prefer self-signed certificates for internal use. Specify the tenant ID, app ID, and certificate thumbprint for execution.

NOTE: To execute this PowerShell script with certificate-based credentials, you need to register an app in Azure AD.

1. Check SSPR status for Microsoft 365 Users
2. Identify SSPR enabled Microsoft 365 users
3. Detect self-service password reset disabled users
4. Find SSPR turned on but not registered users
5. Self-service password reset status of Microsoft 365 admins
6. Export SSPR status report for licensed users

Administrators can strengthen security by frequently checking SSPR status to spot and address authentication vulnerabilities. SSPR checks also help admins ensure users comply with organizational password rules and security guidelines. To determine users’ SSPR status, administrators can run the following script:

The above format exports SSPR status for all sign-in allowed users.

Consider a case where the initial SSPR policy mandated a phone number and security questions for authentication. The admin plans to replace security questions with email. However, before switching to email authentication, admins need to find all SSPR-enabled users and check their current auth methods. To list the SSPR-enabled users, admins can use the “SsprEnabledUsers” parameter as shown below:

It exclusively provides information on self-service password reset enabled users, listing their registered auth methods, default auth methods, and more details.

Disabling SSPR for certain users might be a proactive measure to mitigate potential risks. For example, if an employee is leaving the company or changing roles, disabling SSPR temporarily can prevent unauthorized access during the transition period. In such cases, monitoring SSPR-disabled users helps ensure that these measures are effectively implemented and managed. Admins can use the “SsprDisabledUsers” parameter to find all SSPR-disabled users.

The script above exports all users who are not registered for SSPR.

Despite administrators enabling self-service password reset, some users may not have completed the registration process. If users are not registered, they may turn to contact IT support for password-related issues, thereby increasing the workload for administrators.

The script below helps to identify users with SSPR turned on but not yet registered with the “SsprTurnedOnButUserNotRegistered” parameter.

The above format exports M365 users who are eligible but not registered for SSPR.

Microsoft 365 admins are typically enabled by default for self-service password reset (SSPR) with a two-gate policy. However, relying on weak authentication methods like phone number or email verification poses a risk of social engineering attacks. Admin accounts may be targeted by sophisticated attackers to bypass these measures. It’s crucial to ensure admins have registered for SSPR and use strong authentication methods to mitigate this risk. To check the SSPR status for Microsoft 365 admins, run the script with the “AdminsOnly” parameter.

The exported report displays the self-service password reset status of all administrators within your organization. You can obtain a more detailed report on admin SSPR status by combining parameters as shown below:

To retrieve SSPR-enabled admins:

The exported report provides the list of SSPR-enabled admins in your organization.

For SSPR-disabled admins in Microsoft 365:

The script specifically retrieves the SSPR-disabled admins in Microsoft 365.

In many organizations, admins must ensure that all licensed users have SSPR enabled to fully utilize resources. By filtering SSPR status for licensed users, admins can optimize resource allocation effectively. Use the script below to retrieve the self-service password status exclusively for licensed users with the “LicensedUsersOnly” parameter.

Note that self-service password reset is a premium feature. By executing the script, you can confirm the SSPR status of licensed users in your organization. Additionally, by combining parameters, you can obtain detailed reports on the SSPR status of licensed users.

SSPR-enabled licensed users:

By executing the above script, admins can swiftly identify the number of licensed users enabled for SSPR.

SSPR-disabled licensed users:

The format below retrieves SSPR-disabled users who are licensed in the organization.

Licensed users with SSPR turned on but not registered:

The exported report lists the licensed users with SSPR turned on but not registered.

If you’re among those who find exporting SSPR reports using PowerShell cumbersome or time-consuming, here is an easy solution. Introducing AdminDroid Microsoft 365 Reporter for seamless password management without the need for extensive PowerShell scripting.

AdminDroid offers a range of password reports for free, including crucial SSPR report, making it easy for admins to track user account resets and activity. With AdminDroid, you can effortlessly track self-service password resets with username, reset time and whether it succeeded or not, etc. The comprehensive SSPR report from AdminDroid enables seamless monitoring of all self-service password resets, enhancing security by preventing unauthorized access.

Moreover, you can also monitor the following password reports from AdminDroid to enhance password management efficiency.

• Password Reset Performed by Admin
• User Password Changes
• Password Reset Forced by Admin for User to Change Password

Additionally, with AdminDroid’s Azure AD auditing tool, you can monitor user logins, activities, admin role changes, group audits, and setting adjustments without much effort. Moreover, the free Azure AD reporting tool from AdminDroid offers 190+ reports, providing a comprehensive 360-degree view of your Microsoft Entra environment for improved Azure AD management.

Apart from Microsoft Entra reports, AdminDroid offers 1800+ detailed reports and 30+ appealing dashboards covering various services like SharePoint Online, Microsoft Teams, Exchange Online, Power BI, Stream, and Viva Engage.

But wait, there’s more! AdminDroid offers a range of advanced features, including real-time alerting, seamless scheduling, granular access delegation, and advanced filters. The user-friendly interface ensures effortless navigation and adaptation to your unique needs.

Why settle for the ordinary when you can experience the extraordinary? Push the download button of AdminDroid now to explore the 15-day trial and experience effortless Microsoft 365 administration.

That’s it! I hope this blog has shown you how to effortlessly export self-service password reset status reports using PowerShell. Feel free to reach us for any queries or assistance.